Spring authorization and role management with Ldap
I am developing a Spring Java app and I want to use LDAP (Apache Directory) to manage users, so I want to give each user a role and manage that using Spring.
This is my security-context.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd">

    <security:authentication-manager>
        <security:ldap-authentication-provider
            user-search-filter="(uid={0})" user-search-base="ou=users"
            group-search-filter="(uniqueMember={0})" group-search-base="ou=groups"
            group-role-attribute="cn" role-prefix="ROLE_" />
    </security:authentication-manager>

    <security:ldap-server url="ldap://localhost:8389/o=mojo"
        manager-dn="uid=admin,ou=system" manager-password="secret" />

    <security:http use-expressions="true">
        <security:intercept-url pattern="/" access="hasRole('ROLE_Admin')" />
        <security:form-login />
    </security:http>

</beans>
and this is my ldap hierarchy
This doesn't work for me and gives me a 403 (access denied) error even when I'm logged in with administrator privileges.
Any help?
Try setting up your role this way: <security:intercept-url pattern="/" access="hasRole('ROLE_ADMIN')" />

By default, <security:ldap-authentication-provider />, which automatically configures org.springframework.security.ldap.authentication.LdapAuthenticationProvider, creates an instance of org.springframework.security.ldap.userdetails.LdapUserDetailsMapper, which by default has the following properties:
public class LdapUserDetailsMapper implements UserDetailsContextMapper {
    // ~ Instance fields
    // ================================================================================================
    private final Log logger = LogFactory.getLog(LdapUserDetailsMapper.class);
    private String passwordAttributeName = "userPassword";
    private String rolePrefix = "ROLE_";
    private String[] roleAttributes = null;
    private boolean convertToUpperCase = true;
And so on. Since convertToUpperCase is set to true, this method
    /**
     * Creates a GrantedAuthority from a role attribute. Override to customize authority
     * object creation.
     * <p>
     * The default implementation converts string attributes to roles, making use of the
     * <tt>rolePrefix</tt> and <tt>convertToUpperCase</tt> properties. Non-String
     * attributes are ignored.
     * </p>
     *
     * @param role the attribute returned from
     * @return the authority to be added to the list of authorities for the user, or null
     * if this attribute should be ignored.
     */
    protected GrantedAuthority createAuthority(Object role) {
        if (role instanceof String) {
            if (this.convertToUpperCase) {
                role = ((String) role).toUpperCase();
            }
            return new SimpleGrantedAuthority(this.rolePrefix + role);
        }
        return null;
    }
finally converts your ou=groups entry Admin to ROLE_ADMIN, which doesn't match ROLE_Admin.
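To make the mismatch in the answer concrete, here is an added, stand-alone model (not code from the question, the answer, or Spring Security itself) of how the mapper's createAuthority turns group cn values into authorities and how a hasRole() expression is compared against them; the automatic "ROLE_" prefixing in hasRole() reflects Spring Security 4.x behaviour, and the group names are constructed sample values.

```java
import java.util.ArrayList;
import java.util.List;

public class LdapRoleMappingDemo {

    static final String ROLE_PREFIX = "ROLE_";

    // Mirrors the createAuthority logic quoted above: prefix, plus optional upper-casing.
    static String createAuthority(String groupCn, boolean convertToUpperCase) {
        String role = convertToUpperCase ? groupCn.toUpperCase() : groupCn;
        return ROLE_PREFIX + role;
    }

    // Authorities the user would be granted for the given group memberships.
    static List<String> authoritiesFor(List<String> groupCns, boolean convertToUpperCase) {
        List<String> out = new ArrayList<>();
        for (String cn : groupCns) {
            out.add(createAuthority(cn, convertToUpperCase));
        }
        return out;
    }

    // Models hasRole(): Spring adds the "ROLE_" prefix when the argument lacks it,
    // then performs an exact, case-sensitive comparison against the authorities.
    static boolean hasRole(List<String> authorities, String role) {
        String wanted = role.startsWith(ROLE_PREFIX) ? role : ROLE_PREFIX + role;
        return authorities.contains(wanted);
    }

    public static void main(String[] args) {
        // Constructed sample cn values from an ou=groups subtree.
        List<String> groups = List.of("Admin", "developers");

        // Default mapper settings (convertToUpperCase = true), as in the question's config.
        List<String> defaults = authoritiesFor(groups, true);
        System.out.println("authorities (default mapper): " + defaults);
        // The question's expression: case-sensitive comparison against ROLE_ADMIN fails -> 403.
        System.out.println("hasRole('ROLE_Admin'): " + hasRole(defaults, "ROLE_Admin"));
        // The answer's fix: the upper-cased authority matches.
        System.out.println("hasRole('ROLE_ADMIN'): " + hasRole(defaults, "ROLE_ADMIN"));
        // The prefix is added automatically, so the short form matches as well.
        System.out.println("hasRole('ADMIN'): " + hasRole(defaults, "ADMIN"));

        // Alternative: a mapper with convertToUpperCase = false keeps the directory's casing,
        // so the original expression would match instead.
        List<String> preserved = authoritiesFor(groups, false);
        System.out.println("authorities (casing preserved): " + preserved);
        System.out.println("hasRole('ROLE_Admin'): " + hasRole(preserved, "ROLE_Admin"));
    }
}
```

Whichever side you change, keep the expression and the mapper's casing consistent, since the authority comparison is an exact string match.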